Help getting started - Openssl


Help getting started

Hey all,

I've been trying to put together a simple secure pop3 client (just login
and check number of available messages) to test out the openSSL library
but I can't seem to find any good tutorials or examples that really
explain what's going on with certificates. Can someone point me in the
direction of some documentation that might help me get started? Or at
least outline the process of setting up a tcp/ip client like this?

I expected that the process would be something like:
1. login
2. retrieve server's certificate
3. do something to decide if the client should trust it
4. then continue on my merry little way with pop transactions

From the documentation available, I can't quite wrap my head around the
SSL_CTX_load_verify_locations step (which, evidently, comes before
connecting to the server). It seems like this function is used to load
and validate some certificates, but I can't figure out whose. Are these
stored copies of servers' certificates or are they certificates to
identify the client computer? When the program first runs, these
certificates won't exist, correct? What needs to be verified at this
point? Is there a way to generate an empty certificate store if it
doesn't exist yet (first run case)?

RE: Help getting started

Replies inlined. Pls correct me if wrong.

Hey all,

I've been trying to put together a simple secure pop3 client (just login
and check number of available messages) to test out the openSSL library
but I can't seem to find any good tutorials or examples that really
explain what's going on with certificates. Can someone point me in the
direction of some documentation that might help me get started? Or at
least outline the process of setting up a tcp/ip client like this?

I expected that the process would be something like:
1. login
2. retrieve server's certificate
3. do something to decide if the client should trust it

---
I think you have to implement the callback function to determine whether the
client accepts the server cert or rejects it.
---
4. then continue on my merry little way with pop transactions

From the documentation available, I can't quite wrap my head around the
SSL_CTX_load_verify_locations step (which, evidently, comes before
connecting to the server). It seems like this function is used to load
and validate some certificates, but I can't figure out whose.

---
Those are CA certificate(s), which would be reqd to verify the server cert.
---

Are these stored copies of servers' certificates or are they certificates to
identify the client computer?

---
Server cert need not be stored in the client computer. The server cert will
be presented to the client during the SSL handshake.
---

When the program first runs, these certificates won't exist, correct? What
needs to be verified at this point?

---
Nothing is verified at this point. At this time, we say that these are my CA
certs and the incoming server cert has to be validated against these CA certs.
---

Is there a way to generate an empty certificate store if it
doesn't exist yet (first run case)?

Any help would be appreciated.

Josh Bialkowski

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
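To tie the original poster's four-step outline to the inline answers above, here is an added example that is not code from the thread or from the OpenSSL project. It uses Python's ssl module because that module is a thin wrapper over the same OpenSSL calls under discussion: `SSLContext.load_verify_locations` is `SSL_CTX_load_verify_locations`, and `verify_mode = CERT_REQUIRED` is `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, ...)`. The ssl module does not expose the accept/reject callback mentioned in the reply; it relies on OpenSSL's built-in chain validation plus a hostname check, which is the combination a client normally wants. All function names, the hostname and credentials in the comments, and the sample server replies are constructed for this example.

```python
"""POP3-over-TLS mailbox check built on Python's ssl module.

Added example, not code from the thread.  The trust set-up maps one to one
onto the OpenSSL C API discussed above:
  SSLContext.load_verify_locations -> SSL_CTX_load_verify_locations
  verify_mode = CERT_REQUIRED     -> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, ...)
Function names and sample replies are the example author's own constructions.
"""
import socket
import ssl


class POP3Error(Exception):
    """Raised for a -ERR reply or a malformed status line."""


def make_client_context(cafile=None):
    """Build the client's trust configuration before connecting.

    The certificates loaded here are CA certificates, which is what the
    SSL_CTX_load_verify_locations question in the thread is about.  The
    server's own certificate is never stored locally: it arrives during the
    handshake and is validated against these CAs.  There is no useful
    "empty store" for a first run, because with no trusted CA every server
    certificate fails verification, so with cafile=None we fall back to the
    operating system's CA bundle.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject any unverifiable server cert
    ctx.check_hostname = True            # cert must also name the host we dialled
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)  # our own CA bundle (PEM)
    else:
        ctx.load_default_certs()                   # OS trust store
    return ctx


def parse_status_line(line):
    """Return the text after '+OK'; raise POP3Error on '-ERR' or garbage."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    if text.startswith("+OK"):
        return text[3:].strip()
    if text.startswith("-ERR"):
        raise POP3Error(text[4:].strip())
    raise POP3Error("malformed response: %r" % text)


def parse_stat(line):
    """Parse the STAT reply '+OK <messages> <octets>' into two ints."""
    fields = parse_status_line(line).split()
    if len(fields) < 2:
        raise POP3Error("STAT reply missing fields")
    try:
        return int(fields[0]), int(fields[1])
    except ValueError:
        raise POP3Error("STAT reply not numeric: %r" % fields[:2])


def message_count(host, user, password, port=995, cafile=None, timeout=10):
    """Connect over TLS, log in and return the number of messages waiting."""
    ctx = make_client_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # wrap_socket runs the handshake: the server presents its certificate,
        # OpenSSL checks the chain against the loaded CAs and the hostname, and
        # raises ssl.SSLCertVerificationError before any POP3 bytes are sent.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            reader = tls.makefile("rb")
            parse_status_line(reader.readline())             # greeting
            tls.sendall(b"USER %s\r\n" % user.encode("ascii"))
            parse_status_line(reader.readline())
            tls.sendall(b"PASS %s\r\n" % password.encode("ascii"))
            parse_status_line(reader.readline())             # -ERR -> POP3Error
            tls.sendall(b"STAT\r\n")
            count, _octets = parse_stat(reader.readline())
            tls.sendall(b"QUIT\r\n")
            parse_status_line(reader.readline())
            return count


if __name__ == "__main__":
    # Offline demonstration on constructed server replies.  A real run would be
    # message_count("pop.example.org", "alice", "secret", cafile="/path/to/ca.pem")
    # with a hypothetical host, credentials and CA bundle path.
    print(parse_stat(b"+OK 3 1234\r\n"))  # (3, 1234)
    try:
        parse_status_line(b"-ERR invalid password\r\n")
    except POP3Error as err:
        print("login rejected:", err)
```

The order matters for the poster's step list: the CA bundle is loaded into the context before any connection (step 2 in the thread is really "the server presents its certificate during the handshake"), the trust decision in step 3 is made by OpenSSL against those CAs plus the hostname check, and only after `wrap_socket` returns does the USER/PASS/STAT exchange begin. If the handshake fails verification the password is never sent, which is the property a secure POP3 client is after.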

RE: Help getting started

Hi,
> I've been trying to put together a simple secure pop3 client
> (just login
> and check number of available messages) to test out the
> openSSL library
> but I can't seem to find any good tutorials or examples that really
> explain what's going on with certificates.

AFAIK there aren't really any online tutorials for OpenSSL that
explain how to get started. I would recommend you buy the OpenSSL
book "Network Security with OpenSSL".

You really need to understand how SSL works before trying to start
coding anything. OpenSSL has a /very/ steep learning curve IMHO.

Re: Help getting started

Thanks for the suggestion. I was hoping I could slap together something
simple and quick but if that is not the case, well, it's not the case.
My library has that book so I'll check it out and get started with that.

Thanks again.

Mark wrote:
> Hi,
>
>
>> I've been trying to put together a simple secure pop3 client
>> (just login
>> and check number of available messages) to test out the
>> openSSL library
>> but I can't seem to find any good tutorials or examples that really
>> explain what's going on with certificates.
>>
>
> AFAIK there aren't really any online tutorials for OpenSSL that
> explain how to get started. I would recommend you buy the OpenSSL
> book "Network Security with OpenSSL".
>
> You really need to understand how SSL works before trying to start
> coding anything. OpenSSL has a /very/ steep learning curve IMHO.
>
> Good Luck!
>
> Mark